evince crashed with SIGSEGV in FT_Get_Char_Index()

Bug #208485 reported by toobuntu on 2008-03-28
88
Affects Status Importance Assigned to Milestone
libcairo
Fix Released
Medium
poppler (Ubuntu)
Medium
Unassigned
Hardy
Medium
Unassigned

Bug Description

Binary package hint: evince

attempting to print this pdf with evince in Hardy:
http://www.linux-magazine.com/w3/issue/86/Email_Suites_Review.pdf

and evince crashed without printing it.

$ apt-cache policy evince libpoppler2 libcairo2
evince:
  Installed: 2.22.0-0ubuntu2
  Candidate: 2.22.0-0ubuntu2
  Version table:
 *** 2.22.0-0ubuntu2 0
        500 http://us.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status
libpoppler2:
  Installed: 0.6.4-1
  Candidate: 0.6.4-1
  Version table:
 *** 0.6.4-1 0
        500 http://us.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status
libcairo2:
  Installed: 1.5.14-0ubuntu1
  Candidate: 1.5.14-0ubuntu1
  Version table:
 *** 1.5.14-0ubuntu1 0
        500 http://us.archive.ubuntu.com hardy/main Packages
        100 /var/lib/dpkg/status

$ lsb_release -dr
Description: Ubuntu hardy (development branch)
Release: 8.04

ProblemType: Crash
Architecture: i386
Date: Fri Mar 28 17:06:55 2008
DistroRelease: Ubuntu 8.04
ExecutablePath: /usr/bin/evince
Package: evince 2.22.0-0ubuntu2
PackageArchitecture: i386
ProcCmdline: evince file:///tmp/Email_Suites_Review.pdf
ProcEnviron:
 PATH=/home/username/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_US.UTF-8
 SHELL=/bin/bash
Signal: 11
SourcePackage: evince
StacktraceTop:
 FT_Get_Char_Index () from /usr/lib/libfreetype.so.6
 FT_Get_First_Char () from /usr/lib/libfreetype.so.6
 ?? () from /usr/lib/libcairo.so.2
 ?? ()
 ?? ()
Title: evince crashed with SIGSEGV in FT_Get_Char_Index()
Uname: Linux 2.6.24-12-generic i686
UserGroups: adm admin audio cdrom dialout dip floppy fuse lpadmin plugdev users video

toobuntu (toobuntu) wrote :

StacktraceTop:FT_Get_Char_Index (face=0xb54f0530, charcode=0)
FT_Get_First_Char (face=0xb54f0530, agindex=0xb6a26e28)
_cairo_ft_map_glyphs_to_unicode (abstract_font=0xb54edcd8, font_subset=0xb6a26fbc)
_cairo_scaled_font_subset_create_glyph_names (subset=0xb6a26fbc)
_cairo_ps_surface_emit_unscaled_font_subset (font_subset=0xb6a26fbc, closure=0xb484b570)

Changed in evince:
importance: Undecided → Medium
Download full text (5.6 KiB)

The bug has been opened on https://bugs.launchpad.net/bugs/208485

"attempting to print this pdf with evince in Hardy:
http://www.linux-magazine.com/w3/issue/86/Email_Suites_Review.pdf

#0 0xb6e24df1 in FT_Get_Char_Index (face=0xb54f0530, charcode=0)
    at /build/buildd/freetype-2.3.5/freetype-2.3.5/src/base/ftobjs.c:2794
 result = <value optimized out>
#1 0xb6e24ea2 in FT_Get_First_Char (face=0xb54f0530, agindex=0xb6a26e28)
    at /build/buildd/freetype-2.3.5/freetype-2.3.5/src/base/ftobjs.c:2812
 result = <value optimized out>
 gindex = 0
#2 0xb75e84d1 in _cairo_ft_map_glyphs_to_unicode (abstract_font=0xb54edcd8, font_subset=0xb6a26fbc)
    at /build/buildd/cairo-1.5.14/src/cairo-ft-font.c:2414
 unscaled = (cairo_ft_unscaled_font_t *) 0xb48676d8
 face = (FT_Face) 0xb54f0530
 glyph = <value optimized out>
 charcode = <value optimized out>
 i = <value optimized out>
 count = 50
#3 0xb75dd567 in _cairo_scaled_font_subset_create_glyph_names (subset=0xb6a26fbc)
    at /build/buildd/cairo-1.5.14/src/cairo-scaled-font-subsets.c:768
 i = <value optimized out>
 status = <value optimized out>
 names = (cairo_hash_table_t *) 0x3057
 key = {base = {hash = 3035627520},
  string = 0xb4f32fa8 "%!FontType1-1.1 f-50-0 1.0\n11 dict begin\n/FontName /f-50-0 def\n/PaintType 0 def\n/FontType 1 def\n/FontMatrix [0.001 0 0 0.001 0 0] readonly def\n/FontBBox {-24 -199 857 744", ' ' <repeats 30 times>...}
 entry = <value optimized out>
 buf = "\000\000 P_·\000o¢¶\000\000\000\000¨n¢¶\032¼]·¨/ó´¨/ó´"
#4 0xb75c61dd in _cairo_ps_surface_emit_unscaled_font_subset (font_subset=0xb6a26fbc, closure=0xb484b570)
    at /build/buildd/cairo-1.5.14/src/cairo-ps-surface.c:574
 status = <value optimized out>
 __PRETTY_FUNCTION__ = "_cairo_ps_surface_emit_unscaled_font_subset"
#5 0xb75ddaeb in _cairo_sub_font_collect (entry=0xb54fd4f0, closure=0xb6a2703c)
    at /build/buildd/cairo-1.5.14/src/cairo-scaled-font-subsets.c:425
 subset = {scaled_font = 0xb54edcd8, font_id = 2, subset_id = 0, glyphs = 0xb5c961e0,
  to_unicode = 0xb5c05a50, glyph_names = 0x0, num_glyphs = 50, is_composite = 0}
 i = 0
 j = 50
 __PRETTY_FUNCTION__ = "_cairo_sub_font_collect"
#6 0xb75a6dac in _cairo_hash_table_foreach (hash_table=0xb54f5ed0,
    hash_callback=0xb75dda00 <_cairo_sub_font_collect>, closure=0xb6a2703c)
    at /build/buildd/cairo-1.5.14/src/cairo-hash.c:565
 i = 121
 entry = (cairo_hash_entry_t *) 0x0
#7 0xb75dd931 in _cairo_scaled_font_subsets_foreach_internal (font_subsets=0xb5ce1290,
    font_subset_callback=0xb75c61a0 <_cairo_ps_surface_emit_unscaled_font_subset>, closure=0xb484b570,
    is_scaled=0) at /build/buildd/cairo-1.5.14/src/cairo-scaled-font-subsets.c:680
 collection = {glyphs = 0xb5c961e0, glyphs_size = 65, max_glyph = 49, num_glyphs = 50, subset_id = 0,
  status = CAIRO_STATUS_SUCCESS,
  font_subset_callback = 0xb75c61a0 <_cairo_ps_surface_emit_unscaled_font_subset>,
  font_subset_callback_closure = 0xb484b570}
#8 0xb75c69eb in _cairo_ps_surface_finish (abstract_surface=0xb484b570)
    at /build/buildd/cairo-1.5.14/src/cairo-ps-surface.c:625
 status = <value optimized out>
 status2 = <value optimized out>
 i = <value optimized out>
 num_comments = <value optim...

Read more...

Download full text (3.4 KiB)

Valgrind lists those errors on the example

==2516== Conditional jump or move depends on uninitialised value(s)
==2516== at 0x4B5E062: (within /usr/lib/libz.so.1.2.3.3)
==2516== by 0x4B5CBE6: deflate (in /usr/lib/libz.so.1.2.3.3)
==2516== by 0x49DAFDE: cairo_deflate_stream_deflate (cairo-deflate-stream.c:57)
==2516== by 0x49DB0A5: _cairo_deflate_stream_close (cairo-deflate-stream.c:108)
==2516== by 0x49C7180: _cairo_output_stream_close (cairo-output-stream.c:192)
==2516== by 0x49C7FFC: _cairo_output_stream_destroy (cairo-output-stream.c:216)
==2516== by 0x49D2D9D: _cairo_pdf_surface_close_stream (cairo-pdf-surface.c:879)
==2516== by 0x49D64E8: _cairo_pdf_surface_emit_pattern (cairo-pdf-surface.c:1453)
==2516== by 0x49D7208: _cairo_pdf_surface_show_page (cairo-pdf-surface.c:3929)
==2516== by 0x49BE9DF: cairo_surface_show_page (cairo-surface.c:1746)
==2516== by 0x49CB492: _cairo_paginated_surface_show_page (cairo-paginated-surface.c:468)
==2516== by 0x49BE9DF: cairo_surface_show_page (cairo-surface.c:1746)
==2516== by 0x49AF187: _cairo_gstate_show_page (cairo-gstate.c:1082)
==2516== by 0x49A7991: cairo_show_page (cairo.c:2207)
==2516== by 0x7FA9F37: (within /usr/lib/evince/backends/libpdfdocument.so)
==2516== by 0x404D6D8: ev_file_exporter_end_page (in /usr/lib/libevbackend.so.0.0.0)
==2516== by 0x80606DC: (within /usr/bin/evince)
==2516== by 0x805F583: (within /usr/bin/evince)
==2516== by 0x805FA4B: (within /usr/bin/evince)
==2516== by 0x4AA09EE: g_thread_create_proxy (gthread.c:635)
==2516== by 0x4CDCFD9: start_thread (pthread_create.c:297)
==2516== by 0x4DB483D: clone (in /usr/lib/debug/libc-2.7.so)
==2516==
==2516== Use of uninitialised value of size 4
==2516== at 0x4B5F655: (within /usr/lib/libz.so.1.2.3.3)
==2516== by 0x4B61491: (within /usr/lib/libz.so.1.2.3.3)
==2516== by 0x4B5E0A2: (within /usr/lib/libz.so.1.2.3.3)
==2516== by 0x4B5CBE6: deflate (in /usr/lib/libz.so.1.2.3.3)
==2516== by 0x49DAFDE: cairo_deflate_stream_deflate (cairo-deflate-stream.c:57)
==2516== by 0x49DB0A5: _cairo_deflate_stream_close (cairo-deflate-stream.c:108)
==2516== by 0x49C7180: _cairo_output_stream_close (cairo-output-stream.c:192)
==2516== by 0x49C7FFC: _cairo_output_stream_destroy (cairo-output-stream.c:216)
==2516== by 0x49D2D9D: _cairo_pdf_surface_close_stream (cairo-pdf-surface.c:879)
==2516== by 0x49D64E8: _cairo_pdf_surface_emit_pattern (cairo-pdf-surface.c:1453)
==2516== by 0x49D7208: _cairo_pdf_surface_show_page (cairo-pdf-surface.c:3929)
==2516== by 0x49BE9DF: cairo_surface_show_page (cairo-surface.c:1746)
==2516== by 0x49CB492: _cairo_paginated_surface_show_page (cairo-paginated-surface.c:468)
==2516== by 0x49BE9DF: cairo_surface_show_page (cairo-surface.c:1746)
==2516== by 0x49AF187: _cairo_gstate_show_page (cairo-gstate.c:1082)
==2516== by 0x49A7991: cairo_show_page (cairo.c:2207)
==2516== by 0x7FA9F37: (within /usr/lib/evince/backends/libpdfdocument.so)
==2516== by 0x404D6D8: ev_file_exporter_end_page (in /usr/lib/libevbackend.so.0.0.0)
==2516== by 0x80606DC: (within /usr/bin/evince)
==2516== by 0x805F583: (within /usr/b...

Read more...

Sebastien Bacher (seb128) wrote :

Thanks for your bug report. This bug has been reported to the developers of the software. You can track it and make comments here: http://bugs.freedesktop.org/show_bug.cgi?id=15302

Changed in freetype:
status: New → Triaged
Changed in libcairo:
status: Unknown → Confirmed
Zoubidoo (zoubidoo) wrote :

I can confirm same problem on Hardy. The bug hasn't received any attention in the last 14 days :-(

Does this bug still occur after updating poppler to include the following bug fix?

http://bugs.freedesktop.org/show_bug.cgi?id=15216

yes that's still an issue using the current poppler tarball which has this change

Nigel Cundy (nigel-cundy) wrote :

I had the same problem with http://arxiv.org/pdf/0707.0131v2

I'm attaching my apport crash report

I installed Hardy and could reproduce the bug. I then installed poppler 0.8.3. However due to some poppler API changes the evince in Hardy does not link with the updated poppler I installed:

$ LD_LIBRARY_PATH=/home/ajohnson/lib ldd /usr/bin/evince | grep poppler
        libpoppler-glib.so.2 => /usr/lib/libpoppler-glib.so.2 (0xb7736000)
        libpoppler.so.2 => /usr/lib/libpoppler.so.2 (0xb6ee7000)

Evince still reproduces the bug since it is still using the system installed poppler.

So I applied the patch in bug 15216 to poppler 0.6.4, installed it and evince printed the test case without crashing.

This is the same problem that was reported and fixed in bug 15216.

I am attaching an updated patch for poppler 0.6.4 since the original patch does not apply cleanly to this old version of poppler that Hardy is using.

Created an attachment (id=17119)
Patch for 0.6.4

Changed in libcairo:
status: Confirmed → Fix Released

thanks Adrian the change indeed fix the issue, I tried previously on ubuntu intrepid which has poppler 0.8.2 and the bug was still there but maybe the change was not available yet in this version, sorry for the extra work there

Sebastien Bacher (seb128) wrote :

that's a poppler issue and should be fixed in the new intrepid version

Changed in cairo:
status: Triaged → Fix Released
Changed in poppler:
importance: Undecided → Medium
status: New → Confirmed
Sebastien Bacher (seb128) wrote :
Martin Pitt (pitti) wrote :

Accepted into -proposed, please test and give feedback here

Changed in poppler:
status: Confirmed → Fix Committed
Martin Pitt (pitti) wrote :

I can reproduce the crash with the current Hardy version. I'll test the proposed fix.

Changed in poppler:
assignee: nobody → pitti
status: Fix Committed → Confirmed
status: Confirmed → Fix Committed
Martin Pitt (pitti) wrote :

With the poppler packages from -proposed, the test case PDFs print fine.

Martin Pitt (pitti) on 2008-06-18
Changed in poppler:
assignee: pitti → nobody
Martin Pitt (pitti) wrote :

Copied to hardy-updates.

Changed in poppler:
status: Fix Committed → Fix Released

the change has been backported to hardy but creates a regression, now evince is crashing when reloading documents

(gdb) bt
#0 FT_Done_Face (face=0xb455dd48) at /build/buildd/freetype-2.3.6/freetype-2.3.6/src/base/ftobjs.c:2020
#1 0xb75ceb0d in _ft_done_face (data=0xb455dd48) at CairoFontEngine.cc:37
#2 0xb74601b0 in _cairo_user_data_array_fini (array=0xb455dc7c) at /build/buildd/cairo-1.6.4/src/cairo-array.c:378
#3 0xb74640b3 in *INT_cairo_font_face_destroy (font_face=0xb455dc70) at /build/buildd/cairo-1.6.4/src/cairo-font-face.c:144
#4 0xb74aa8b0 in _cairo_ft_unscaled_font_destroy (abstract_font=0xb455e010) at /build/buildd/cairo-1.6.4/src/cairo-ft-font.c:495
#5 0xb7463e98 in _cairo_unscaled_font_destroy (unscaled_font=0xb455e010) at /build/buildd/cairo-1.6.4/src/cairo-font-face.c:531
#6 0xb74717e7 in _cairo_scaled_font_fini (scaled_font=0xb4560210) at /build/buildd/cairo-1.6.4/src/cairo-scaled-font.c:587
#7 0xb74718ac in *INT_cairo_scaled_font_destroy (scaled_font=0xb455e0e8) at /build/buildd/cairo-1.6.4/src/cairo-scaled-font.c:843
#8 0xb75ce0ff in CairoFont::getSubstitutionCorrection (this=0xb44046a0, gfxFont=0x83f0870) at CairoFontEngine.cc:307
#9 0xb75d1f4f in CairoOutputDev::updateFont (this=0x8411a60, state=0x84405f8) at CairoOutputDev.cc:390
#10 0xb6d0d0c2 in Gfx::opShowSpaceText () from /usr/lib/libpoppler.so.3
#11 0xb6d08e02 in Gfx::execOp () from /usr/lib/libpoppler.so.3
#12 0xb6d0905f in Gfx::go () from /usr/lib/libpoppler.so.3
#13 0xb6d0c1bf in Gfx::display () from /usr/lib/libpoppler.so.3
#14 0xb6d551cd in Page::displaySlice () from /usr/lib/libpoppler.so.3
#15 0xb75ca01a in _poppler_page_render (page=0x83bd518, cairo=0x83edda0, printing=0) at poppler-page.cc:529
#16 0xb75ca157 in poppler_page_render (page=0x83bd518, cairo=0x83edda0) at poppler-page.cc:550

Download full text (3.8 KiB)

corresponding valgrind log

==30405== Invalid read of size 4
==30405== at 0x507AF64: FT_Done_Face (ftobjs.c:2017)
==30405== by 0x494EB0C: _ZL13_ft_done_facePv (CairoFontEngine.cc:37)
==30405== by 0x4A661AF: _cairo_user_data_array_fini (cairo-array.c:378)
==30405== by 0x4A6A0B2: cairo_font_face_destroy (cairo-font-face.c:144)
==30405== by 0x4AB08AF: _cairo_ft_unscaled_font_destroy (cairo-ft-font.c:495)
==30405== by 0x4A69E97: _cairo_unscaled_font_destroy (cairo-font-face.c:531)
==30405== by 0x4A777E6: _cairo_scaled_font_fini (cairo-scaled-font.c:587)
==30405== by 0x4A778AB: cairo_scaled_font_destroy (cairo-scaled-font.c:843)
==30405== by 0x4A6B4E7: _cairo_gstate_unset_scaled_font (cairo-gstate.c:1219)
==30405== by 0x4A6B53D: _cairo_gstate_set_font_face (cairo-gstate.c:1492)
==30405== by 0x4A634CE: cairo_set_font_face (cairo.c:2688)
==30405== by 0x4951F2D: CairoOutputDev::updateFont(GfxState*) (CairoOutputDev.cc:383)
==30405== Address 0x70758d8 is 16 bytes inside a block of size 84 free'd
==30405== at 0x4023B4A: free (vg_replace_malloc.c:323)
==30405== by 0x4B455B5: g_free (gmem.c:190)
==30405== by 0x4A3CFB9: pango_parse_markup (in /usr/lib/libpango-1.0.so.0.2101.2)
==30405== by 0x458C796: (within /usr/lib/libgtk-x11-2.0.so.0.1303.0)
==30405== by 0x4AD34CE: g_object_set_property (gobject.c:697)
==30405== by 0x460A784: (within /usr/lib/libgtk-x11-2.0.so.0.1303.0)
==30405== by 0x4610904: (within /usr/lib/libgtk-x11-2.0.so.0.1303.0)
==30405== by 0x4610F04: (within /usr/lib/libgtk-x11-2.0.so.0.1303.0)
==30405== by 0x49735DA: (within /usr/lib/libgdk-x11-2.0.so.0.1303.0)
==30405== by 0x4B3B540: g_idle_dispatch (gmain.c:4168)
==30405== by 0x4B3D437: g_main_context_dispatch (gmain.c:2063)
==30405== by 0x4B4099A: g_main_context_iterate (gmain.c:2696)
==30405==
==30405== Invalid read of size 4
==30405== at 0x507A68F: FT_List_Find (ftutil.c:250)
==30405== by 0x507AF88: FT_Done_Face (ftobjs.c:2023)
==30405== by 0x494EB0C: _ZL13_ft_done_facePv (CairoFontEngine.cc:37)
==30405== by 0x4A661AF: _cairo_user_data_array_fini (cairo-array.c:378)
==30405== by 0x4A6A0B2: cairo_font_face_destroy (cairo-font-face.c:144)
==30405== by 0x4AB08AF: _cairo_ft_unscaled_font_destroy (cairo-ft-font.c:495)
==30405== by 0x4A69E97: _cairo_unscaled_font_destroy (cairo-font-face.c:531)
==30405== by 0x4A777E6: _cairo_scaled_font_fini (cairo-scaled-font.c:587)
==30405== by 0x4A778AB: cairo_scaled_font_destroy (cairo-scaled-font.c:843)
==30405== by 0x4A6B4E7: _cairo_gstate_unset_scaled_font (cairo-gstate.c:1219)
==30405== by 0x4A6B53D: _cairo_gstate_set_font_face (cairo-gstate.c:1492)
==30405== by 0x4A634CE: cairo_set_font_face (cairo.c:2688)
==30405== Address 0x5d8928f4 is not stack'd, malloc'd or (recently) free'd
==30405==
==30405== Process terminating with default action of signal 11 (SIGSEGV)
==30405== Access not within mapped region at address 0x5D8928F4
==30405== at 0x507A68F: FT_List_Find (ftutil.c:250)
==30405== by 0x507AF88: FT_Done_Face (ftobjs.c:2023)
==30405== by 0x494EB0C: _ZL13_ft_done_facePv (CairoFontEngine.cc:37)
==30405== by 0x4A661AF: _cairo_u...

Read more...

the 0.8.2 version has been used to get the stacktrace and valgrind log

There was a recent bug report and patch for this problem posted to the poppler mailing list:

http://lists.freedesktop.org/archives/poppler/2008-June/003900.html

there is no reply on the list, should I open a new bug about the issue?

Sebastien Bacher (seb128) wrote :

the change is creating a regression apparently, see bug #242865

toobuntu (toobuntu) wrote :

Using the packages from -proposed resolves this issue for me and the pdfs print okay now.

(In reply to comment #11)
> there is no reply on the list, should I open a new bug about the issue?
>

As it is a different bug to this one, yes open a new bug.

bug #16529 opened about the issue

Changed in libcairo:
importance: Unknown → Medium
Changed in libcairo:
importance: Medium → Unknown
Changed in libcairo:
importance: Unknown → Medium
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.